
Re: where to submit low security vulnerability in .profile?



On Mon, Jun 19, 2017 at 06:00:58PM +0200, Nicolas George wrote:
> On Primidi, 1 Messidor, year CCXXV, Henrique de Moraes Holschuh wrote:
> > That said, no, it is not usually considered a security vulnerability,
> > because NOT using the full path to run commands such as "su" and "sudo"
> > in the first place IS considered gross negligence.
> 
> If your account has been compromised so much that an attacker was able
> to add something in ~/bin/, then using the full path of the commands
> does not bring any extra security.

Henrique, I believe, was describing an attack that works like this:

1) Login.
2) PATH=~/bin:$PATH
3) vi ~/bin/su  (insert malicious code); chmod 755 ~/bin/su
4) Call the system administrator, and get him/her to come to your desk.
5) Get the sysadmin to run "su -c something" for you at your desk.
   This runs your password-capturing program, which records the root
   password somewhere you can retrieve it after the sysadmin leaves.

This is not an attack vector I had previously considered, so thanks
to Henrique for pointing it out.  Nevertheless, I don't think this
justifies any requests to change the default PATH in /etc/skel/.profile.
The attack can be carried out as described above regardless of what
Debian does in /etc/skel/.
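
A PATH audit for the scenario in the message above, as an added example that is not part of the original post: it reports which file `su` or `sudo` would resolve to under a given PATH and flags a match outside the system directories. The function names and the `TRUSTED_DIRS` list are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post): PATH audit for su/sudo.
# Assumption: these are the only directories treated as trusted.
TRUSTED_DIRS="/usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin"

# resolve_in_path NAME PATHSTRING: print the first executable NAME found.
resolve_in_path() {
    name=$1
    old_ifs=$IFS
    IFS=:
    set -f                      # no globbing while splitting PATH on ':'
    for dir in $2; do
        [ -n "$dir" ] || dir=.  # an empty entry means the current directory
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            IFS=$old_ifs; set +f
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs; set +f
    return 1
}

# is_trusted_dir DIR: succeed only if DIR is listed in TRUSTED_DIRS.
is_trusted_dir() {
    for t in $TRUSTED_DIRS; do
        [ "$1" = "$t" ] && return 0
    done
    return 1
}

# check_command NAME PATHSTRING: print a verdict.
# Exit status: 0 = resolves to a trusted dir, 1 = shadowed, 2 = not found.
check_command() {
    hit=$(resolve_in_path "$1" "$2") || { echo "missing $1"; return 2; }
    if is_trusted_dir "$(dirname "$hit")"; then
        echo "ok $hit"
        return 0
    fi
    echo "shadowed $hit"
    return 1
}

# Audit the current session's PATH for the two commands named in the thread.
for c in su sudo; do
    check_command "$c" "$PATH" || true
done
```

The check covers PATH lookup only; it says nothing about aliases or shell functions defined in the session.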

